Re: [http-auth] Why is there no SASL support in HTTP?

Yoav Nir <ynir.ietf@gmail.com> Mon, 14 August 2017 17:52 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8505C1323B6 for <http-auth@ietfa.amsl.com>; Mon, 14 Aug 2017 10:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XxqJIJ3fbaS9 for <http-auth@ietfa.amsl.com>; Mon, 14 Aug 2017 10:52:12 -0700 (PDT)
Received: from mail-wm0-x243.google.com (mail-wm0-x243.google.com [IPv6:2a00:1450:400c:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C6F01323C4 for <http-auth@ietf.org>; Mon, 14 Aug 2017 10:52:12 -0700 (PDT)
Received: by mail-wm0-x243.google.com with SMTP id q189so15320263wmd.0 for <http-auth@ietf.org>; Mon, 14 Aug 2017 10:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=3mgE5pEhWkS6jGcYkWTXCtDZZDZ5UpU8GxaKtoY/OMM=; b=lkdWCONWUMP6rqsNcYQapLe9AQ3BjHiCR6no7fQafYzw0z1uBbTwrxkmn6kk4iUbcS 98wclHSdRAIduoMoUrc+pOb2QlRL0+gRYHfD/98IfhqzDZY52OH33dp61W94FyvFYIWZ 4m6BkHj6mHb7Li4Ev42gukh2WwuXWuY49rHC92Qc6Pk6hqjkw/fqTmMdNYW+/cj1OzUA tHweSjBtmXOFj/auORlA9FuljJOQpb7gm5l9HiahhXvzDG1ld7Fx2JbPofNh+EW5eB+2 IMirP28SeOJNoTrI085yEGK4Ra+lcGwJJxGRBqGUX/YSpfYv7c4h0U3UoBkLvqxETSm1 7Beg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=3mgE5pEhWkS6jGcYkWTXCtDZZDZ5UpU8GxaKtoY/OMM=; b=nnsAt7NVYoT1AEm4UZVKoTd88++ZfkCXhor1nHi2jdYOYegK53tveQqnk/TO0EZDDx 9RRsrVk6KhqmjtmkNT8fTVkjO0Bh1KZ/Ml9ojTGtDYiT4t8Jo9Dcpv93of+LNsnrtL94 HDPSfL4PrVW1v4IwzlZb4810WCZVALwceog/hJ0rh2ptGOGKQbXxQaHW6Vukjaht3Y7s tguEq8TY5e4DOw0rtRtHY7zmmkKNQrjZfk/85U3o2uf/EeKR4cw58WoLJAfMhixEi1FU Okfj2GsM2t+aHnPmhI9pvgUZ1+X8dm31y88HIPxId4+3AMw1pzWxb4c+C9qFB5y3gYic vtGw==
X-Gm-Message-State: AHYfb5hVz273VKJmRn9b0M2Rk97Rpmy0Yubf1qJ6LAXxFnKRXenbHnAC sodigUSmSRBTow==
X-Received: by 10.80.147.134 with SMTP id o6mr26180496eda.102.1502733130599; Mon, 14 Aug 2017 10:52:10 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id x35sm4395353edx.5.2017.08.14.10.52.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Aug 2017 10:52:09 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <98D653C8-06F9-4BA2-B086-B748325D13D1@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_160FB130-7BC1-4BC5-B6B2-19885DE86549"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 14 Aug 2017 20:52:07 +0300
In-Reply-To: <5991CD93.5090203@openfortress.nl>
Cc: http-auth@ietf.org
To: Rick van Rein <rick@openfortress.nl>
References: <586A3C94.4090504@openfortress.nl> <5991CD93.5090203@openfortress.nl>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/9vPNnUw6-6bnG01GY2Ky-cFPc6I>
Subject: Re: [http-auth] Why is there no SASL support in HTTP?
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 17:52:14 -0000

Hi, Rick.

Since this is security-related and does not naturally belong to any existing working group, the way to go is to send a message to the SAAG list (security area advisory group) and see if it generates interest there.

Yoav

> On 14 Aug 2017, at 19:19, Rick van Rein <rick@openfortress.nl> wrote:
> 
> Hello former WG,
> 
> In Januari I wrote...
> 
>> I've been wondering why HTTP Authentication does not support SASL, but
>> instead chooses independent mechanisms from SASL?
> 
> ...and given the positive replies back then, I have now written a draft
> to cover this idea.
> 
> https://datatracker.ietf.org/doc/draft-vanrein-httpauth-sasl/
> 
> Related to this is a proposal that can be helpful to pass SASL over EAP
> to (shared) backend infrastructure,
> 
> https://datatracker.ietf.org/doc/draft-vanrein-eap-sasl/
> 
> 
> It includes channel binding, which AFAIK is new to HTTP, but SASL is
> clear about how to do this: skip over the application protocol and
> incorporate TLS through tls-unique, as a minimum mechanism.  So the
> reasoning for SCRAM-* to not support it because HTTP does not define it,
> does not seem to apply here.  I hope I'm not poking in a hornet's nest
> by saying this...
> 
> 
> Given that the HTTPAUTH WG has been dismantled, I am not sure what to do
> next.  Any advise is welcome.
> 
> 
> Best wishes,
> 
> Rick van Rein
> InternetWide.org / ARPA2.net / OpenFortress.nl
> 
> _______________________________________________
> http-auth mailing list
> http-auth@ietf.org
> https://www.ietf.org/mailman/listinfo/http-auth